SE-PostgreSQL for Fedora (Re: Guideline for RPM packages)

KaiGai Kohei kaigai at kaigai.gr.jp
Thu Jul 26 16:25:04 UTC 2007


By the way, I'm seeking sponsors who can review the SE-PostgreSQL package.

  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=249522

If you can volunteer for the reviewing process, please contact me.

Thanks,

>>>> If I remember correctly, someone posted a guideline to make
>>>> a RPM package which contains binary security policy, several
>>>> weeks ago.
>>>>
>>>> If you know the URL, would you tell me the location?
>>> There is a draft guide at:
>>> http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules
>> Thanks, so much!
> 
> I have a comment for the Policy Module Packaging Guideline.
> 
> The document says every *.pp file should be installed for every sort of policy
> (targeted, strict, mls) in the %post section.
> However, it can cause a problem when some of the policies are not installed yet.
> 
> When we try to install an application including a policy package on a system
> which has only the targeted policy, installation of the *.pp files for strict/mls will
> fail, needless to say.
> If we want to install selinux-policy-strict or -mls later, the orphan *.pp files
> are not linked automatically because "/usr/bin/semodule -i" is not invoked.
> It will cause a simple problem, but one that is a bit difficult to find out.
> 
> I have an idea that uses "%triggerin" to invoke "/usr/bin/semodule -i" to link
> orphan *.pp files on installation of selinux-policy-* packages later, as follows:
> 
> ----------------
>   # rpm passes the install count of this package to trigger scriptlets as $1
>   # ($0 is the scriptlet path); 1 means it is installed, not being removed
>   %triggerin -- selinux-policy-targeted
>   if [ $1 -eq 1 ]; then
>       /usr/sbin/semodule -s targeted -i %{_datadir}/selinux/targeted/mymodule.pp &> /dev/null || :
>   fi
>   %triggerin -- selinux-policy-strict
>   if [ $1 -eq 1 ]; then
>       /usr/sbin/semodule -s strict -i %{_datadir}/selinux/strict/mymodule.pp &> /dev/null || :
>   fi
>   %triggerin -- selinux-policy-mls
>   if [ $1 -eq 1 ]; then
>       /usr/sbin/semodule -s mls -i %{_datadir}/selinux/mls/mymodule.pp &> /dev/null || :
>   fi
> ----------------
> 
> If the application is installed on a system which already has selinux-policy-strict,
> "%triggerin -- selinux-policy-strict" will be invoked just when the application is
> installed, so there is no degradation.
> 
> Thanks,

--
KaiGai Kohei <kaigai at kaigai.gr.jp>
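The %post / %triggerin logic discussed in the thread, rewritten as plain shell functions so it can be tried without rpm or SELinux present. This is an added example, not code from the thread or the Fedora guideline; it assumes policy stores under $SELINUX_ROOT/<type>/policy, module files at $MODULE_DIR/<type>/mymodule.pp, and a $SEMODULE command (a stub in tests) standing in for /usr/sbin/semodule.

```shell
#!/bin/sh
# Added example (not from the thread). Paths are assumptions matching the
# thread's layout; override them through the environment when experimenting.
SELINUX_ROOT="${SELINUX_ROOT:-/etc/selinux}"
MODULE_DIR="${MODULE_DIR:-/usr/share/selinux}"
SEMODULE="${SEMODULE:-/usr/sbin/semodule}"

# policy_installed TYPE: true when the base policy for TYPE is present.
# A missing store is exactly the case where "semodule -i" fails in %post.
policy_installed() {
    [ -d "$SELINUX_ROOT/$1/policy" ]
}

# load_module TYPE: link mymodule.pp into store TYPE. Errors are swallowed,
# as in the spec snippet, so a failed load never aborts the rpm transaction.
load_module() {
    "$SEMODULE" -s "$1" -i "$MODULE_DIR/$1/mymodule.pp" 2>/dev/null || :
}

# post_install: the %post step, loading only into stores that already exist.
# Stores that appear later are covered by trigger_in, not by this function.
post_install() {
    for policy_type in targeted strict mls; do
        if policy_installed "$policy_type"; then
            load_module "$policy_type"
        fi
    done
}

# trigger_in TYPE COUNT: the "%triggerin -- selinux-policy-TYPE" step.
# COUNT is what rpm passes as $1: instances of our package after the
# transaction; 1 means installed, 0 means it is being removed, so skip.
trigger_in() {
    if [ "$2" -eq 1 ]; then
        load_module "$1"
    fi
}
```

With only the targeted policy present, post_install loads one module; a later trigger_in for strict picks up the orphan strict module that %post could not load.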

More information about the fedora-selinux-list mailing list